Show filters
78 Total Results
Displaying 1-10 of 78
Sort by:
Attacker Value
Unknown
CVE-2023-35116
Disclosure Date: June 14, 2023 (last updated November 08, 2023)
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
0
Attacker Value
Unknown
CVE-2021-46877
Disclosure Date: March 18, 2023 (last updated October 08, 2023)
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
0
Attacker Value
Unknown
CVE-2020-10650
Disclosure Date: December 26, 2022 (last updated October 08, 2023)
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
0
Attacker Value
Unknown
CVE-2022-42003
Disclosure Date: October 02, 2022 (last updated December 20, 2023)
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
0
Attacker Value
Unknown
CVE-2022-42004
Disclosure Date: October 02, 2022 (last updated October 08, 2023)
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
0
Attacker Value
Unknown
CVE-2020-36518
Disclosure Date: March 11, 2022 (last updated October 07, 2023)
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
0
Attacker Value
Unknown
CVE-2021-20190
Disclosure Date: January 19, 2021 (last updated November 08, 2023)
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
0
Attacker Value
Unknown
CVE-2020-36183
Disclosure Date: January 07, 2021 (last updated October 07, 2023)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
0
Attacker Value
Unknown
CVE-2020-36179
Disclosure Date: January 07, 2021 (last updated November 08, 2023)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
0
Attacker Value
Unknown
CVE-2020-36180
Disclosure Date: January 07, 2021 (last updated October 07, 2023)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
0
